OpenID module (Single-Sign-On with another apps)

by Sebastian Komorowski -
Number of replies: 24
Hello,
I've got a proposition for a new feature for Moodle: an SSO module based on OpenID. I wonder if anybody has tried to do something similar.

It could be a great thing for integrating Moodle with other applications (example: Moodle and Drupal (http://lampuniversity.org)) without changing core code.
What do you think about that?

A presentation giving an overview of OpenID: http://www.openidenabled.com/resources/drupal/openid.html

best regards
Sebastian Komorowski

In reply to Sebastian Komorowski

Re: OpenID module (Single-Sign-On with another apps)

by Martín Langhoff -
I have reviewed OpenID, and I don't think it is for actual SSO for any services you care about. It's more for "guest access with auto-complete my details".
In reply to Martín Langhoff

Re: OpenID module (Single-Sign-On with another apps)

by Thomas Narres -
In fact it is a central authentication service, like LDAP authorization.
On Drupal's side we are thinking along the lines of what was started at http://groups.drupal.org/node/1048
In reply to Thomas Narres

Re: OpenID module (Single-Sign-On with another apps)

by Sebastian Komorowski -
Yes, you are right, Thomas. But there is some extra value in OpenID: you don't have to be the owner of the server.
In reply to Thomas Narres

Re: OpenID module (Single-Sign-On with another apps)

by Martín Langhoff -

Thomas,

the 2nd slide in that URL says

Not a trust system. "Trust requires identity first"

which means that it is not like LDAP. It also means that it is not a valid means for SSO for most of the uses I can think of.

What kind of scenarios would you use OpenID in?

In reply to Martín Langhoff

Re: OpenID module (Single-Sign-On with another apps)

by Thomas Narres -
OpenID and LDAP are in fact what is called identity management systems. The goal is to get Single Sign-On, so that web applications are able to share their user data. That may be called Web SSO.

In fact OpenID and LDAP are not the same, but similar. There are a lot of other techniques, too.
OpenID is a very popular authentication method for web access and user verification.

You may use one of the public servers like https://getopenid.com/, http://www.myopenid.com/ or one of the others, but you may also create your own OpenID-Server.

The benefit is to have centralized user authentication.
In reply to Thomas Narres

Re: OpenID module (Single-Sign-On with another apps)

by Martín Langhoff -

In fact OpenID and LDAP are not the same, but similar.

Can you elaborate on the point? It doesn't make much sense to me, having worked a lot with LDAP, PAM, done a few SSO implementations. I mean we can say they are "similar" at a naive high level. But we are talking underlying protocols, trust models and implementations, right?

LDAP is a directory (OpenID is not), LDAP can be used as a trust system (especially strong when paired with Kerberos -- OpenID cannot be used as a trust system and cannot work in a Kerberized environment). LDAP cannot do SSO, where OpenID can -- IOWs LDAP is a TCP/IP protocol, OpenID is a Web 2.0 protocol.

LDAP has a lot of support for delegation, caching, mirroring, recursive querying, a full blown search system. OpenID does not have any of these.

LDAP can be a data repository (albeit it is not an RDBMS but a tree-structured database) and is widely used to distribute host configuration data (it is one of the uses of AD, and also used a lot in the Unix space for network-wide management). OpenID has nothing in that area.

So, both run on TCP/IP. Both can validate a username, though with radically different approaches (and features/limitations). So the overlap is minimal in my book.

Which is good of course. Different tools fit different scenarios -- I don't want to have a million tools that do exactly the same with different name, protocol and configuration.

But anywhere you'd clearly use LDAP, you would not use OpenID. And vice versa.

In reply to Martín Langhoff

Re: OpenID module (Single-Sign-On with another apps)

by Bill Fitzgerald -
Hello, Martin,

OpenID has some flexible options wrt user management -- you can pull user info from anything from a .pwd file to a mysql db to an LDAP directory -- so, it's possible to integrate OpenID cleanly and simply alongside legacy systems without duplicating user data -- I give an overview of these, and other, details in this blog post.

Cheers,

Bill
In reply to Martín Langhoff

Re: OpenID module (Single-Sign-On with another apps)

by David Strauss -
Your post is interesting but quite misinformed.

LDAP can be used as an SSO system. You just have multiple applications (even web ones like KnowledgeTree) access the same LDAP server for user authentication.

And OpenID can have trust layered on top of it. You should never confuse "not included in the protocol" with "incapable of integration with." Almost any trust mechanism could be layered on top of OpenID. OpenID just doesn't require one in order to keep the protocol lightweight.

Saying OpenID can't have a trust mechanism is like saying HTTP can't do SSL.
In reply to David Strauss

Re: OpenID module (Single-Sign-On with another apps)

by Bill Fitzgerald -
Hello, David --

RE: " Your post is interesting but quite misinformed." -- as you and I are saying similar things, I'm assuming your comment doesn't apply to me.

From the way this forum displays comments, the "post" to which you refer is not immediately clear.

Cheers,

Bill
In reply to Bill Fitzgerald

Re: OpenID module (Single-Sign-On with another apps)

by David Strauss -
Actually, this forum makes it very clear who is responding to whom. Responses are indented under the posts to which they apply. My post is not indented under yours. Hence, it is not a reply to it. My previous post is responding to the same post as yours.
In reply to David Strauss

Re: OpenID module (Single-Sign-On with another apps)

by Michael Penney -

"LDAP can be used as an SSO system. You just have multiple applications (even web ones like KnowledgeTree) access the same LDAP server for user authentication."

This provides the same username and password, but how would you do SSO (user only enters their username and password once, and is authenticated on a set of different applications) with LDAP only?

AFAIK, you need a server-side authentication system such as pubcookie or CAS (which may use LDAP as the directory server) to provide SSO. From Wikipedia anyway, it sounds like OpenID is not a good choice for securing sensitive information like student grades and identities?

The philosophy is different from single sign-on, where authentication plays a major part, because OpenID does not rely on a trust mechanism. Therefore, OpenID is not meant to be used on sensitive accounts (banking, on-line purchasing and so on).

http://en.wikipedia.org/wiki/OpenID

Vs. CAS and PubCookie.
In reply to Michael Penney

Re: OpenID module (Single-Sign-On with another apps)

by Bill Fitzgerald -
Hello, Michael,

RE: LDAP -- this is also my experience -- multiple apps accessing an LDAP server provides the same username and password for every app, but does not provide SSO.

However, the OpenID info you give needs to be examined in a little more detail.

Consider this scenario:

A school sets up an OpenID server, and several sites as OpenID client sites. The OpenID client sites can be configured to only accept logins from the school's OpenID server. So, any login from an outside OpenID server will be summarily rejected.

For the OpenID SSO to work, the owner of the OpenID profile must choose to trust the client site. This trust can be granted forever, once, or not at all, and it can be revoked at any time. So, OpenID does not give a blank check to all the sites within a network -- the user must determine which sites to trust -- and then, within each individual site, the user can be given privileges accordingly.

Additionally, with OpenID, the user chooses what info to share with each site -- the OpenID protocol does not manage identity -- it just manages SSO -- the simple registration extension allows for some profile management across sites, but this is an extension to the protocol, not a part of it.

OpenID doesn't secure "sensitive information like student grades and identities" -- the web sites/databases do that -- OpenID is *only* an SSO mechanism -- security on a site using OpenID is largely like security on a site using any other SSO mechanism -- the single greatest threat to security will always be a user compromising the integrity of their login or password.

And the day someone shows me a protocol that can protect against that -- well, that would be quite the invention.

The wikipedia page on OpenID is woefully general, and like most things general, prone to inaccuracies. A better starting point for what OpenID can and can't do is http://www.openidenabled.com/

Also, wrt security, OpenID worked for Verisign. Their FAQ also gives insight -- albeit in non-technical terms -- into what OpenID can and can't do.

Cheers,

Bill
In reply to Bill Fitzgerald

Re: OpenID module (Single-Sign-On with another apps)

by Dirk Herr-Hoyman -
The diagram on http://www.openidenabled.com/openid/openid-protocol and, beneath this page, one with a multi-party diagram do shed some light on how OpenID works. A similar diagram is behind Pubcookie, the difference being OpenID is multi-site, multi-organization.

Really, the thing to do is to take this guy for a spin and watch it work. With some small effort, I could see how the Moodle user profile could be enhanced with OpenID.
In reply to Bill Fitzgerald

Re: OpenID module (Single-Sign-On with another apps)

by Rob Wohleb -
OpenID only provides identity. The user-submitted credentials include identity source information. There is no reasonable way to truly trust the identity source, as the protocol allows for ANY source of identity information. The identity source is considered authoritative for its namespace only. As Bill mentioned, the solution is to limit identity sources to those you trust.

As people have pointed out, OpenID is NOT SSO. OpenID is merely a shared identity service. SSO can presumably be added on top of OpenID to allow one to sign in only once across multiple sites/applications. The default OpenID implementation still requires users to sign on per site/application.
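The "accept only the school's own OpenID server" setup Bill describes above, and the "limit identity sources to those you trust" point Rob makes here, as an added example that is not code from Moodle, Drupal or any poster: a relying-party check on an OpenID 2.0 positive assertion (mode id_res) that verifies the HMAC signature before trusting any field, then applies a provider allowlist, an exact-host check on the claimed identifier, and a nonce replay check. The association handle and secret, hostnames, paths and nonces are all constructed; the static map of provider endpoint to identifier hosts stands in for the discovery a real RP would perform on the claimed_id.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlparse

# Everything below (handle, secret, hosts, nonces) is constructed for this example.
# A real RP gets the secret from the OpenID association it set up with the OP.
ASSOC_HANDLE = "assoc-example-1"
ASSOC_SECRET = hashlib.sha256(b"constructed example secret, not a real key").digest()

# The school's own OP and the identifier hosts it may vouch for. A real RP learns
# which OP speaks for a claimed_id by discovery; a static allowlist stands in here,
# matching the "accept only our own server" configuration described in the thread.
TRUSTED_OPS = {"https://openid.example-school.edu/server": {"openid.example-school.edu"}}
RP_RETURN_TO = "https://moodle.example-school.edu/auth/openid/return"

# OpenID 2.0 section 10.1: fields that must be covered by the signature.
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity")


def key_value_form(params, signed_keys):
    """Section 4.1.1 key-value encoding of the signed fields, in openid.signed order."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed_keys)


def sign_assertion(fields, secret):
    """OP side: a positive assertion (mode id_res) signed with HMAC-SHA256."""
    params = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
              "openid.assoc_handle": ASSOC_HANDLE}
    params.update({"openid." + k: v for k, v in fields.items()})
    signed_keys = list(REQUIRED_SIGNED)
    params["openid.signed"] = ",".join(signed_keys)
    mac = hmac.new(secret, key_value_form(params, signed_keys).encode(), hashlib.sha256).digest()
    params["openid.sig"] = base64.b64encode(mac).decode()
    return params


def verify_assertion(params, secret, seen_nonces):
    """RP side. Returns (accepted, reason). No field is trusted before the signature
    check passes; provider allowlist, namespace and replay checks run after it."""
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    if params.get("openid.assoc_handle") != ASSOC_HANDLE:
        return False, "unknown association"
    signed_keys = params.get("openid.signed", "").split(",")
    if any(k not in signed_keys for k in REQUIRED_SIGNED):
        return False, "required field not signed"
    try:
        expected = hmac.new(secret, key_value_form(params, signed_keys).encode(),
                            hashlib.sha256).digest()
        presented = base64.b64decode(params.get("openid.sig", ""), validate=True)
    except (KeyError, ValueError):
        return False, "malformed assertion"
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"
    op = params["openid.op_endpoint"]
    if op not in TRUSTED_OPS:
        return False, "untrusted identity provider"
    if params["openid.return_to"] != RP_RETURN_TO:
        return False, "return_to mismatch"
    # Exact host match: endswith() would admit openid.example-school.edu.attacker.example.
    if urlparse(params["openid.claimed_id"]).hostname not in TRUSTED_OPS[op]:
        return False, "claimed_id outside provider namespace"
    nonce = params["openid.response_nonce"]
    if nonce in seen_nonces:
        return False, "replayed nonce"
    seen_nonces.add(nonce)
    return True, params["openid.claimed_id"]


def demo():
    """One acceptable assertion and four that the RP must refuse."""
    school = "https://openid.example-school.edu"
    base = {"op_endpoint": school + "/server", "claimed_id": school + "/alice",
            "identity": school + "/alice", "return_to": RP_RETURN_TO,
            "response_nonce": "2007-03-01T12:00:00Zn1"}
    seen, results = set(), {}
    good = sign_assertion(base, ASSOC_SECRET)
    results["valid"] = verify_assertion(good, ASSOC_SECRET, seen)
    results["replay"] = verify_assertion(good, ASSOC_SECRET, seen)
    results["tampered"] = verify_assertion(dict(good, **{"openid.identity": school + "/admin"}),
                                           ASSOC_SECRET, seen)
    # Signed with the school's secret only so the signature passes and policy is what rejects.
    other = "https://openid.example-blog.net"
    outsider = sign_assertion(dict(base, op_endpoint=other + "/server", claimed_id=other + "/alice",
                                   identity=other + "/alice", response_nonce="2007-03-01T12:00:01Zn2"),
                              ASSOC_SECRET)
    results["outsider"] = verify_assertion(outsider, ASSOC_SECRET, seen)
    fake = "https://openid.example-school.edu.attacker.example/alice"
    lookalike = sign_assertion(dict(base, claimed_id=fake, identity=fake,
                                    response_nonce="2007-03-01T12:00:02Zn3"), ASSOC_SECRET)
    results["lookalike"] = verify_assertion(lookalike, ASSOC_SECRET, seen)
    return results
```

The order of the checks is the point: the allowlist and host comparisons operate on values the signature has already bound, so an attacker who cannot produce a valid MAC never reaches them, and one who can (a rogue but correctly associated provider) is still stopped by the provider and namespace policy. A production RP would additionally check the timestamp prefix of response_nonce against a window and perform discovery rather than consult a static map.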
In reply to Rob Wohleb

Re: OpenID module (Single-Sign-On with another apps)

by Sebastian Komorowski -
There is a possibility of resolving that problem by mixing AJAX with iframes for some group of applications.
I will try to do it.
In reply to Michael Penney

Re: OpenID module (Single-Sign-On with another apps)

by David Strauss -
Again, people need to stop confusing "not required by OpenID" with "impossible with OpenID." If you need a trust mechanism, use one.

If a site needs high security, then it has a few options. One is requiring an additional password for really important areas. Another is building trusted relationships with multiple OpenID servers.
In reply to Martín Langhoff

Re: OpenID module (Single-Sign-On with another apps)

by Sebastian Komorowski -
Hello Martin,
I think that it will be useful for Moodle.
At the Elgg roadmap there is a point about OpenID integration. There is a module for Drupal. There is a possibility to integrate it in that way with Moodle.
I think that it will be useful for Moodle if you have your own OpenID server and you can filter your users for some specific access rights. For example, you have Elgg blogs with OpenID as the login. Then you choose only those logins which are from your OpenID server; the rest have only guest access or some simple rights.

Maybe I'm wrong ;) I don't know yet.

In reply to Sebastian Komorowski

Re: OpenID module (Single-Sign-On with another apps)

by Douglas Dixon -
Currently Humboldt State University's Courseware Development Center is working on getting pubcookie and single signon for moodle and drupal working. We are hoping to have the code completed soon. I will post a message here when we have it done.
In reply to Douglas Dixon

Re: OpenID module (Single-Sign-On with another apps)

by Sebastian Komorowski -
Hi,
Will you share that code?
It will be really nice ;)

Sebastian
In reply to Sebastian Komorowski

Re: OpenID module (Single-Sign-On with another apps)

by Richie Foreman -
I don't mean to point fingers, or be mean, but isn't OpenID targeted at blogs, LiveJournals, and the like?
In reply to Richie Foreman

Re: OpenID module (Single-Sign-On with another apps)

by Sebastian Komorowski -
Yes, it is. But there is an easy way of using it for Moodle.
If we have Elgg/Moodle integration with Elgg as the OpenID server, we can use it for better control of the data flowing to each application and, of course, SSO.

You can control access rights for the users by checking the domain name and closing the registration process to your OpenID server.

In reply to Douglas Dixon

Re: OpenID module (Single-Sign-On with another apps)

by Michael Goldblatt -
Hi Douglas-

I was just trolling through the forums looking for info on Pubcookie integration and saw your post. Have you been having much success getting it to work?

Thanks,

Michael